fix(wip): uncontrolled data used in path expression

0xJacky · 0xJacky · commit e91ea6bc346d · 2024-07-30T14:54:20.000+08:00
diff --git a/api/certificate/certificate.go b/api/certificate/certificate.go
@@ -4,6 +4,7 @@ import (
 	"github.com/0xJacky/Nginx-UI/api"
 	"github.com/0xJacky/Nginx-UI/internal/cert"
 	"github.com/0xJacky/Nginx-UI/internal/cosy"
+	"github.com/0xJacky/Nginx-UI/internal/helper"
 	"github.com/0xJacky/Nginx-UI/internal/nginx"
 	"github.com/0xJacky/Nginx-UI/internal/notification"
 	"github.com/0xJacky/Nginx-UI/model"
@@ -25,7 +26,8 @@ type APICertificate struct {
 func Transformer(certModel *model.Cert) (certificate *APICertificate) {
 	var sslCertificationBytes, sslCertificationKeyBytes []byte
 	var certificateInfo *cert.Info
-	if certModel.SSLCertificatePath != "" {
+	if certModel.SSLCertificatePath != "" &&
+		helper.IsUnderDirectory(certModel.SSLCertificatePath, nginx.GetConfPath()) {
 		if _, err := os.Stat(certModel.SSLCertificatePath); err == nil {
 			sslCertificationBytes, _ = os.ReadFile(certModel.SSLCertificatePath)
 			if !cert.IsCertificate(string(sslCertificationBytes)) {
@@ -36,7 +38,8 @@ func Transformer(certModel *model.Cert) (certificate *APICertificate) {
 		certificateInfo, _ = cert.GetCertInfo(certModel.SSLCertificatePath)
 	}
 
-	if certModel.SSLCertificateKeyPath != "" {
+	if certModel.SSLCertificateKeyPath != "" &&
+		helper.IsUnderDirectory(certModel.SSLCertificateKeyPath, nginx.GetConfPath()) {
 		if _, err := os.Stat(certModel.SSLCertificateKeyPath); err == nil {
 			sslCertificationKeyBytes, _ = os.ReadFile(certModel.SSLCertificateKeyPath)
 			if !cert.IsPrivateKey(string(sslCertificationKeyBytes)) {
diff --git a/api/config/modify.go b/api/config/modify.go
@@ -47,7 +47,7 @@ func EditConfig(c *gin.Context) {
 		return
 	}
 
-	if _, err := os.Stat(path); os.IsNotExist(err) {
+	if !helper.FileExists(path) {
 		c.JSON(http.StatusNotFound, gin.H{
 			"message": "file not found",
 		})
diff --git a/app/src/version.json b/app/src/version.json
@@ -1 +1 @@
-{"version":"2.0.0-beta.29","build_id":152,"total_build":356}
+{"version":"2.0.0-beta.29","build_id":154,"total_build":358,"status_hash":"4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945"}
diff --git a/internal/cert/cert_info.go b/internal/cert/cert_info.go
@@ -3,6 +3,8 @@ package cert
 import (
 	"crypto/x509"
 	"encoding/pem"
+	"github.com/0xJacky/Nginx-UI/internal/helper"
+	"github.com/0xJacky/Nginx-UI/internal/nginx"
 	"github.com/pkg/errors"
 	"os"
 	"time"
@@ -16,6 +18,10 @@ type Info struct {
 }
 
 func GetCertInfo(sslCertificatePath string) (info *Info, err error) {
+	if !helper.IsUnderDirectory(sslCertificatePath, nginx.GetConfPath()) {
+		err = errors.New("ssl certificate path is not under the nginx conf path")
+		return
+	}
 	certData, err := os.ReadFile(sslCertificatePath)
 	if err != nil {
 		err = errors.Wrap(err, "error read certificate")
diff --git a/internal/cert/payload.go b/internal/cert/payload.go
@@ -53,15 +53,15 @@ func (c *ConfigPayload) GetKeyType() certcrypto.KeyType {
 
 func (c *ConfigPayload) mkCertificateDir() (err error) {
 	dir := c.getCertificateDirPath()
-	if _, err = os.Stat(dir); os.IsNotExist(err) {
+	if !helper.FileExists(dir) {
 		err = os.MkdirAll(dir, 0755)
 		if err == nil {
 			return nil
 		}
 	}
 
-	// For windows, replace # with * (issue #403)
-	c.CertificateDir = strings.ReplaceAll(c.CertificateDir, "#", "*")
+	// For windows, replace * with # (issue #403)
+	c.CertificateDir = strings.ReplaceAll(c.CertificateDir, "*", "#")
 	if _, err = os.Stat(c.CertificateDir); os.IsNotExist(err) {
 		err = os.MkdirAll(c.CertificateDir, 0755)
 		if err == nil {
diff --git a/internal/chatbot/context.go b/internal/chatbot/context.go
@@ -33,6 +33,11 @@ func (c *includeContext) extractIncludes(filename string) {
 		return
 	}
 
+	if !helper.IsUnderDirectory(filename, nginx.GetConfPath()) {
+		logger.Error("File is not under the nginx conf path: ", filename)
+		return
+	}
+
 	// Read the file content
 	content, err := os.ReadFile(filename)
 	if err != nil {
diff --git a/internal/helper/tar.go b/internal/helper/tar.go
@@ -7,6 +7,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"strings"
 )
 
 func UnTar(dst, src string) (err error) {
@@ -37,6 +38,8 @@ func UnTar(dst, src string) (err error) {
 				return errors.Wrap(err, "unTar tr.Next() error")
 			case hdr == nil:
 				return
+			case strings.Contains(hdr.Name, ".."):
+				return
 			}
 
 			dstFileDir := filepath.Join(dst, hdr.Name)

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ func EditConfig(c *gin.Context) {`
`47`	`47`	`return`
`48`	`48`	`}`
`49`	`49`
`50`		`- if _, err := os.Stat(path); os.IsNotExist(err) {`
	`50`	`+ if !helper.FileExists(path) {`
`51`	`51`	`c.JSON(http.StatusNotFound, gin.H{`
`52`	`52`	`"message": "file not found",`
`53`	`53`	`})`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-{"version":"2.0.0-beta.29","build_id":152,"total_build":356}`
	`1`	`+{"version":"2.0.0-beta.29","build_id":154,"total_build":358,"status_hash":"4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945"}`
Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ import (`
`7`	`7`	`"io"`
`8`	`8`	`"os"`
`9`	`9`	`"path/filepath"`
	`10`	`+ "strings"`
`10`	`11`	`)`
`11`	`12`
`12`	`13`	`func UnTar(dst, src string) (err error) {`
`@@ -37,6 +38,8 @@ func UnTar(dst, src string) (err error) {`
`37`	`38`	`return errors.Wrap(err, "unTar tr.Next() error")`
`38`	`39`	`case hdr == nil:`
`39`	`40`	`return`
	`41`	`+ case strings.Contains(hdr.Name, ".."):`
	`42`	`+ return`
`40`	`43`	`}`
`41`	`44`
`42`	`45`	`dstFileDir := filepath.Join(dst, hdr.Name)`